Your Toaster Has Been Hacked
Who will save the Internet of Things from the evil toaster bot-net?
Late last month, in the wake of a Mirai-malware hacking – in which millions of home devices from DVRs to webcams attacked core internet providers in a massive denial of service attack – Andrew McGill of Atlantic Media ran an experiment to understand how long it would take for an unprotected connected home device to be attacked by hackers.[1] With the help of Amazon’s web services, McGill created a fake “smart toaster” connected to the internet and waited. Within forty minutes, the first hacker attempted to wrest control of the toaster. From then it only took an additional fourteen minutes for the next attack. By the end of the day, McGill’s toaster had been attacked over 300 times.
Forecasters estimate that there are already 4 billion connected devices in use by consumers now, and that we will have over 13.5 billion connected consumer devices by 2020.[2] From your smart phone to your smart vacuum cleaner (cats and Roombas anyone?) to your programmable Christmas lights, connected, smart devices are building out a ubiquitous, machine-to-machine internet. Inert devices connected to nothing other than an electrical outlet will become the exception not the rule. With this increased ubiquity comes a broader attack surface for potential hackers to compromise and many more potential sources of data breach, for data that we may not even recognize is being collected as we go about our daily lives. As one friend likes to point out, when welcoming Amazon’s Alexa system into the home, it’s nice to think that you can press mute and prevent it from recording inside the home, but if compromised that mute button may just turn on a red LED.
Making the challenge more difficult, many hardware manufacturers are decades behind their software and computer compatriots in engineering cybersecurity into their product design. The recent Mirai attack was abetted by the number of manufacturers that released devices into the world with little but flimsy factory-programmed passwords protecting them. As McGill discovered in his adventure with the fake smart toaster, these factory-programmed passwords are often the first to be tested by hackers in an effort to take control of a device. But for most consumers, managing the passwords on their computer and smart phone is already a struggle – and to be honest, when was the last time many of us changed these passwords? Or even realized that our smart toaster had a password? And are we, the consumers really the ones responsible?
Enter Icon Labs which helps traditional manufacturers navigate the cyber security morass associated with connecting devices into the Internet of Things. By providing off-the-shelf and customizable cyber security solutions which can be “embedded” on physical products and devices, Icon Labs is providing a much needed solution for over 100 original equipment manufacturers, from Maytag to GE.[3] Icon Labs is just one of several players in the estimated $20 billion Internet of Things cybersecurity market.[4] Icon Labs specializes in providing solutions that work for connected devices, recognizing that the small memory and processing capacity of these devices presents unique challenges when it comes to protecting them. In addition, Icon Labs helps manufacturers manage and protect device passwords, recognizing that factory-produced passwords are often the first to be compromised as they were with the recent Mirai attack.
Icon Labs’ services may become even more valuable for manufacturers as the legal and regulatory regime surrounding the Internet of Things evolves. The question of who is responsible for maintaining the security of connected devices is still an open one today – but increasingly it looks like the original manufacturer may foot the bill. Already, the Federal Trade Commission has taken one enforcement action against a device manufacturer for selling insecure internet routers. And perhaps in recognition of potential product liability, a webcam manufacturer has issued a recall for several of the webcams that were used in last month’s Internet of Things denial of service attack.[5]
The Internet of Things is growing quickly as more devices from your doorbell to your toaster oven become connected to the internet, with more machines using the internet than human beings. Cybersecurity for the Internet of Things will have to grow up even faster. Companies like Icon Labs are well positioned to sell a much needed service to product manufacturers looking to prevent their appliances from becoming robotic slaves to the bot-net.
Word Count: 800
Image Credit: Disney’s Brave Little Toaster, from Wikia
[1] McGill, Andrew. The Inevitability of Being Hacked: We built a fake web toaster, and it was compromised in an hour. The Atlantic. October 28, 2016. (http://www.theatlantic.com/technology/archive/2016/10/we-built-a-fake-web-toaster-and-it-was-hacked-in-an-hour/505571/).
[2] Gartner Press Release. Gartner Says 6.4 Billion Connected Things Will Be in Use in 2016, Up 30 Percent from 2015. Nov. 10, 2015. (http://www.gartner.com/newsroom/id/3165317)
[3] Icon Labs Company Website. (http://www.iconlabs.com/prod/about).
[4] Business Insider Intelligence. IoT Security Market Report. February 2016. (http://www.businessinsider.com/iot-devices-are-changing-cybersecurity)
[5] Waddell, Kaveh. Who’s Responsible When Your DVR Launches a Cyberattack? The Atlantic Monthly. October 25, 2016. (http://www.theatlantic.com/technology/archive/2016/10/whos-responsible-when-your-dvr-launches-a-cyberattack/505322/).
Thanks for drawing attention to this major security issue with the rapidly developing world of IoT. As a consumer, I definitely think twice about furnishing my home with connected devices. Even with the promise of increased productivity and efficiency, it is hard to stomach the possibility that an object as benign as my toaster oven could be hacked into. As such, I agree with you that Icon Labs occupies an indispensable and highly valuable segment of the IoT ecosystem.
You raise a great point about the increasing risk of accountability that manufacturers face for any security breaches such as the Mirai malware hacking, but I would go even further and say that Icon Labs’ services extend beyond a defensive move that manufacturers can use to protect themselves from lawsuits. Icon Labs’ embedded cybersecurity solutions can also serve as a competitive advantage that manufacturers can promote to assuage consumers’ fears and sell their products. The ROI math could be a powerful argument to help Icon Labs drive topline growth, expand their customer base and get more cash on hand to reinvest into further R&D to stay on top of the ever-present cyber threats we face today.
Thanks for your post! I feel the excitement of connected devices has drawn our attention away from the incredibly important discussion of cyber security with increased linkages between different devices per average consumer. I like that you’ve raised the question of accountability, but I was wondering if there are certain standards and policies that have been set for these different industries and devices foraying into IOT and connected devices? Which body/institution is the gatekeeper of security standards? If there are none right now, then it seems like there is scope for more augmented services like Icon Labs to enter the market and provide this security layer service. To me it sounds like the Antivirus technology in computers, when there was a tremendous growth in PCs and every household has a PC, which was also connected to the internet, it created this new anti-virus market. Will we see similar dynamics in the IOT device security domain? Will consumers drive this change, the manufacturers or the unknown security regulators?
Reading your post was like watching SkyNet slowly taking shape… when will we see the Rise of the Machines! Even when presumably turning a device “off,” data could still feasibly be transmitted from them (e.g., if you turn your iPhone off, what is preventing it from continuing to transmit your location data?). So what’s the best way to manage this? Theoretically all you would need to do is cut the power source, similarly to flipping the switch on the surge protector that your SmartTV, PS4, Alexa, Roku etc. are all connected to. But from a practical perspective, this can be very cumbersome as devices would need to be rebooted and oftentimes reconfigured with every flip of the switch. In an age where hacks are becoming more and more prevalent, it is alarming to realize just how much data we can transmit, and the difficult trade-off this presents between minimizing information sharing and maintaining convenience. Something for us all to be wary about!
Adorable toaster image aside, McGill’s fake toaster experiment is terrifying. And while companies like Icon Labs seem like they might provide some much-needed protection in this space, I wonder who is going to drive manufacturers to incur the expenses needed to make their devices more secure.
I ask that because, although you seem optimistic that regulations will force manufacturers to foot the bill and pass the cost along, the Atlantic article you cite is less optimistic. Waddell cites attorney Michael Zweiback saying that the FTC’s one enforcement action thus far was a missed opportunity, then points out that there are so many poorly secured devices already out there that will be vulnerable for some time, even if the FTC goes to work.
In an environment where the FTC is slow to be able to change things, consumers may not understand the risks posed by the security of their devices, and manufactures are competing on cost, are you bullish about the ability of companies like Icon Labs to create a large presence in the market? Or is the cost of adding security to these devices one that nobody wants to bear?
What worries me about the issue here is that even with ample cyber security protections, everything is still hackable. As of now, I only have a couple connected items(computer and phone) and managing the security on those items can be cumbersome. Seems exhausting to have to worry about countless items in your home. When thinking about connected devices such as a speaker or toaster I was overlooking the security concerns, so thanks for pointing it out.
Thanks for a really revelatory post. I generally think of tech-enabled devices and digitization in terms of how much efficiency and simplicity they create in our lives but it is important to remember the sobering reality that everything is hackable, as you and other comments point out. I think the example of the toaster is particularly powerful because it highlights a product that we assume no one would want to hack, so no one would hack. In the case of Alexa, I’m sure most consumers assume that it would be less desirable to hack than a laptop but that doesn’t mean we aren’t exposing ourselves to serious privacy and security risks.
I wonder how, even with firms like Icon Labs tackling this issue, we will ever reconcile the convenience of technology with the risk of personal information breaches. Similarly, how much security can one firm provide and who’s responsibility is it to protect consumers from hackers–the product creators, the internet service provider, government regulators?
Thanks for the awesome post. Very sobering take on the full repercussions of going digital. I thought of self-driving cars being hacked and how real of a threat that really was. After your article, I think its a VERY real threat and Im curious to see what the OEM will do. Will the responsibility end at Toyota/Fords of the world or go further up the supply chain? Similar to what was discussed during climate change challenge, I wonder how industries will spread out the costs of these security features throughout the entire supply ecosystem.
I think I’ll stick with my conventional toaster-oven for now! As a generally trusting person, thank you for reminding me of the vulnerability of the our increasing use of the Internet of Things. I could definitely benefit from changing a few of my passwords. On that note, I have a single app that stores all of my passwords… thinking this might be a mistake.
In any event, I agree that many manufacturers will be able to benefit from Icon Labs and other firms like it. You mentioned that it appears the manufacturers will be held responsible for maintaining the security of connected devices. I would be curious to see how that burden shifts once a manufacturer utilizes the service provided by Icon Labs. I suspect Icon Labs would have to bear some of it on behalf of the manufacturer?
Fascinating. Another example of digitization making our lives both easier and yet more complicated. I recall the CEO at my last company (a 15,000 person engineering and construction management firm) sharing the statistic that our system had roughly 1,000,000 hacking attempts per day – one explanation of why our IT expenses had ballooned over the last few years. It would be interesting to see for many of these products (e.g. digital toaster) if the net cost/benefit of digitizing is still compelling if it means paying for additional anti-hacking services for the life of that product as well.